Compliance White Papers

If your business is located in Houston, Dallas, Austin, San Antonio – essentially, anywhere in the Lone Star State – and you need to have a SOC 1 SSAE 18 audit performed, then take note of the following information, courtesy of NDNB, Texas’ leading provider of SSAE 18 SOC 1, SOC 2, and SOC 3 regulatory compliance assessments.

Essential Points You Need to Know About SSAE 18 SOC 1 Audits

Start with an SSAE 18 SOC 1 Scoping & Readiness Assessment. New to the world of SSAE 18 SOC 1 compliance? Unsure as to where to begin in terms of assessing your internal controls? Need assistance with identifying gaps, deficiencies, and areas of concern? All signs therefore point to having an SSAE 18 SOC 1 scoping & readiness assessment performed by a qualified, competent CPA firm, such as NDNB.

When completed, your assessment will have successfully identified all gaps and constraints, provided a formal roadmap for achieving compliance, along with offering numerous best practices for ensuring the safety and security of critical organizational assets. Performing such an assessment is a win-win, so contact NDNB today to learn more.

Be Mindful of Remediation that Will Have to be Performed. Having a picture-perfect, completely compliant, 100% foolproof set of internal controls is what every business strives for, but the truth is that this rarely occurs. Because of this, every business – and we mean “every business” – should expect some degree of remediation to be undertaken.

Businesses in Denver and all throughout Colorado and the Rockies can now gain a comprehensive introduction and overview of SOC 1 SSAE 18 audits, courtesy of NDNB, Colorado’s leading provider of SOC 1, SOC 2, and SOC 3 assessments. With regulatory compliance mandates growing larger and larger each year for Colorado businesses – especially when it comes to SOC 1 SSAE 18 compliance, SOC 2, PCI DSS, FISMA, HIPAA, and ISO mandates – a proven and trusted firm is needed for navigating the rough waters of compliance.

NDNB is that very firm, offering exceptional service and fixed fee pricing on all engagements. Colorado’s tech industry is experiencing massive growth – which is great for our state – but it also means large regulatory compliance mandates are looming just around the corner, so get prepared and talk to the experts today at NDNB.

We’re a Household Name in the Rockies for Regulatory Compliance

NDNB has spent years offering regulatory compliance services and solutions to businesses all throughout the state of Colorado, and with the growing technology corridor in Denver and Boulder, our services are expanding also. Whatever your compliance needs are, from SOC 1, SOC 2 and SOC 3 audits to FISMA compliance, we’ll be with you every step of the way for ensuring an efficient and comprehensive audit process from beginning to end – that’s the NDNB difference.

NDNB offers both SSAE 18 SOC 1 & SOC 2 audit reports – at fixed fees – for payroll companies throughout North America, and select international regions. The growth in regulatory compliance for payroll companies has ushered in yet another wave of audit demands, with many such companies choosing either the SOC 1 and/or the SOC 2 standard for service organization reporting.

Payroll companies have always been on the front line of regulatory compliance as they handle highly sensitive and confidential information, along with conducting critical batch processing initiatives for clients. Because of this, the confidentiality, integrity, and availability (CIA) of the entire payroll processing platform is what’s often tested for compliance with SOC 1 & SOC 2 audits.

9 Things Payroll Companies Need to Know About SOC 1/SOC 2 Audits

With that said, it’s important that payroll companies understand the following scope considerations for such an engagement for ensuring they meet and can exceed auditor demands for a successful SOC 1 & SOC 2 audit:

1. Executive tone of management: The policies, procedures, and processes for how management “manages” the organization, effectively known as the “tone at the top”. For example, are meetings held on a regular basis, is risk assessed and analyzed often, are marketing priorities and forecasting considerations undertaken, along with many other critical management initiatives?

3. Policies and Procedures: One of the most fundamentally important aspects of meeting SOC 1 and/or SOC 2 compliance for payroll companies is ensuring that all relevant policies, procedures, and processes are documented. Easier said than done as most companies fail miserably when it comes to policy development. NDNB offers a complimentary SOC 1 and SOC 2 Policy Packet for every client we engage with, ultimately saving businesses hundreds of hours and thousands of dollars in compliance costs.

4. Software development life cycle: Payroll companies utilizing their own internally developed systems and applications for payroll processing and other supporting services will undoubtedly have to include their SDLC platform within the scope of a SOC 1 and/or SOC 2 assessment. This means having highly formalized and documented Systems Development Life Cycle policies, procedures, and related processes.

A background on SOC 1 (SSAE 16/SSAE 18) compliance ultimately requires an understanding and introduction to the AICPA Service Organization Control (SOC) framework and the concept of ICFR: Internal Controls over Financial Reporting. SSAE 16 – short for Statement on Standards for Attestation Engagements number 16 – effectively replaced the antiquated and often misused historical SAS 70 auditing standard. Then, SSAE 16 itself was superseded by SSAE 18 for SOC reports dated on or after May 1, 2017. Now’s the time for you to develop a clearer and more wide-ranging sense of what, exactly, SSAE 16 is and requires.

There are two important points you should be aware of as you navigate the challenging new landscape of SOC compliance in the SOC 1 (SSAE 16/SSAE 18) era. First, SOC 1 (SSAE 16/SSAE 18) is part of the AICPA SOC framework, and, second, SOC 1 (SSAE 16/SSAE 18) assessments are performed on service organizations exhibiting a true and credible nexus to the ICFR concept.

Getting Familiar with the AICPA SOC Framework

What is the SOC framework? With so many service organizations appearing on the financial market with various requirements for reporting, the American Institute of Certified Public Accountants (often known by its acronym, AICPA) engineered a wide-ranging platform called Service Organization Control reports, or SOC for short. This all-encompassing platform is comprised of three different kinds of reports, known as SOC 1, SOC 2, and SOC 3, respectively. Each of these offers service organizations a powerful and – most importantly – flexible tool for describing the numerous factors at play in creating the economic landscape around their organization.

This is a vast improvement on the SAS 70 auditing standard, which was often accused of applying a uniform approach to service organization reporting on controls without the capacity to reflect or respond to a service organization's individual needs and situation.

Now, this problem is all but solved, as the emergence of the AICPA SSAE 18 standard becomes the main professional standard available for issuing all SOC 1 reports. Getting to know the details of the SSAE 18 standard may be difficult for those service organizations used to using the now defunct SAS 70 (and superseded SSAE 16 auditing protocols) – which were almost universally applied – but the benefits of utilizing SSAE 18 far outweigh the challenges.

Here are a few important terms to familiarize yourself with:

SOC 1 Reporting is used to issue SSAE 18 Type 1 or Type 2 Reports.

SOC 2 Reporting: Uses the AICPA AT Section 101 Professional Standard and can be used to generate either Type 1 or Type 2 reports.

SOC 3 Reporting makes use of the SysTrust/Webtrust set of assurance services (aka “Trust Services”) which serve as a vast umbrella term for a number of criteria and requirements jointly developed by the CICA and AICPA.

Understanding SOC 1 SSAE 18 and the ICFR Concept

One of the most vital parts of a SOC 1 (SSAE 16/SSAE 18) assessment is its “control objective(s)”, which reflect and report on a service organization's internal control over financial reporting, a term more often known by its popular acronym, ICFR. What that means, in layman's terms, for you as a service organization, is that if you’re providing services that can impact a client’s financial reporting, then you’ll need to assess your ICFR related controls.

If you're not sure of the answer or have difficulty supplying documentary evidence to support your response, you might consider opting for SOC 2 or SOC 3 reporting instead, if you find that SOC 1 (SSAE 16/SSAE 18) is not an appropriate fit. To be clear, some user organizations and companies making use of an auditor might be unsure of their status and erroneously request SOC 1 (SSAE 16/SSAE 18) compliance despite not having direct applicability to ICFR.

When you're looking at the extent to which ICFR functions are covered and recorded by the user organization, you should start by looking at whether there's any financial data the service organization has provided directly that can also be found – in number or data form – on the user organization's financial statements. Make sure you know whether your service organization is providing any specific services that would have any influence on a) any kind of record-keeping, including accounting entries or even estimations of a user organization or b) any power to authorize transactions, such as the recognition of revenue, capital expenditures, or expense scheduling, as well as c) any physical possession of any elements, whether liability or asset, that could be found on a user's financials.

The reports we're discussing, SOC 1 (SSAE 16/SSAE 18), are designed as a conversation between auditor and auditor about what ICFR functions are already in place (that's what Type 1 is for) and their operating effectiveness (Type 2) at measuring and managing audit risk as well as detection risk: information that is useful not only to external auditors but also for auditors working at or in the user organization.

By and large, the ideal companies to undertake SOC 1 (SSAE 16/SSAE 18) compliance are those such as TPAs (Third Party Administrators), payroll processors, registered investment advisors (RIA), or actuarial/trust services. What's important is that you're able to recognize a strong bond between the ICFR concept and the SOC 1 (SSAE 16/SSAE 18) reporting framework.

Example of SOC 1 (SSAE 16/SSAE 18) and ICFR Applicability

To use one example: in a given service organization (let's say, a payroll processor), various calculations derived from user input are used to determine things such as payroll taxes, expenses, accrued payroll, accrued vacation deferral, qualified and non-qualified deferred plan accruals, and similar estimates and calculations about future financial activity that will have an impact on the financial statements of the user organizations they represent.

This is an ideal example of ICFR, as the service organization administers direct control over the statements of the firm using its services. Call and speak directly with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 to learn more about SOC 1 (SSAE 16/SSAE 18) reporting and to receive a competitive, fixed-fee.

Service Organization Control (SOC) 1 reports are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18. SSAE 18 has essentially replaced the aging and historical SAS 70 and SSAE 16 auditing standards for reporting periods dated on or after May 1, 2017. Much like SAS 70, SSAE 18 provides two (2) reporting options: a SOC 1 SSAE 18 Type 1 Report is officially a "Report on management's description of a service organization's system and the suitability of the design of controls", while a SOC 1 SSAE 18 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls".

1. SOC 1 vs. SOC 2 for Data Centers. A growing debate amongst practitioners in the world of regulatory compliance is “what’s a better fit” for data center compliance, SOC 1 SSAE 18 Type 2 reporting or SOC 2 AT 101 reporting? This debate has intensified in recent years, as both sides put forth credible merits for using either SOC 1 or SOC 2. Interestingly, many CPA firms now actually issue both SOC 1 and SOC 2 reports for data centers, with the SOC 2 report many times limited to just one or two of the actual five (5) Trust Services Principles. Whichever reporting option you choose, you should be fine (provided your SOC 1 report includes ICFR control tests), just remember to educate your clients on why you’ve chosen one over the other. If you decide to follow the trend of conducting both SOC 1 and SOC 2 reports, then you’re obviously fine.

2. Important Scope Considerations. Data centers are a business model like no other, offering a multitude of products and services for meeting customers’ needs and demands. It’s critically important to develop an audit scope that covers the minimum industry accepted baseline controls, while also providing any additional scope parameters for specialized services, such as managed hosting and cloud platforms. As for the “minimum industry accepted baseline controls”, a data center should include testing for the following operational and information security areas:

3. Managed Services. Many data centers offer much more than just traditional “ping, power, and pipe”: growing service lines include managed services at the O/S and even application levels. Depending on customer needs, requirements, and overall expectations, SOC 1 SSAE 18 Type 2 data center compliance should include testing of these environments in regards to any number of control considerations, ranging from user access, network monitoring and performance, backups, etc. This is where it’s critical to communicate with all intended parties regarding the contents of such a report, as expectations need to be met for comprehensive reporting.

4. SOC 1 SSAE 18 Type 2 Reporting Platform. “Flexibility” – it’s probably one of the best words to describe the SOC 1 SSAE 18 Type 2 reporting platform as it allows service organizations to essentially develop and test for controls they deem in-scope and relevant. Ultimately, this allows data centers to test a wide-array of control objectives for compliance, which provides tremendous value – according to supporters of the SSAE 18 standard for data centers.

5. SOC 2 AT 101 Reporting Platform. “Prescriptive” – without question the best term used to describe SOC 2 reporting, as the Trust Services Principles (TSP) provide clear language on the relevant “criteria” to test for. Supporters of SOC 2 compliance reporting for data centers see this as a comprehensive framework for testing a wide array of technology related platforms, especially considering that there are five (5) TSP to choose from.

6. Audit Efficiencies for SOC 1 | SOC 2 and more. With an ever growing list of regulatory compliance mandates, it’s critically important to begin undertaking audit efficiencies – specifically – collecting essential evidence for overlapping areas of today’s main compliance initiatives. Hiring a proven and trusted audit firm – such as NDNB Accountants & Consultants – can make all the difference in time and money spent on.